She also counseled sponsors who are considering or who have purchased cyber insurance: As with entering into any contract, read the fine print.

For example, she asked: Is the insurance capped at a certain amount? Does the insurance cover cyberattacks against individuals, or the plan members in aggregate? What are the deductibles? What is the cost of credit monitoring and/or the cost of notification of cyberattacks? If a cyberattack is caused in part by a user's negligence, who decides and who pays?

Tim Rouse, executive director of the SPARK Institute, said service providers still are wrestling with the exact definition of a computer breach — an important consideration in establishing protection protocols and insurance coverage.

The trade association's oversight board is working on a definition to provide "meaningful" information to avoid having executives responding to minor incidents and alerts that pile up, creating a form of technological white noise, he said. "We don't have a good definition of one now," Mr. Rouse said.